Security
Centrifuge security highlights:
- 24 security reviews to date for the Centrifuge protocol, including tier-1 audit firms Spearbit and Blackthorn.
- Launched on mainnet in 2019, 0 exploits.
- $250,000 bug bounty program live.
The protocol codebase is fully immutable, and any emergency functions are locked behind a 48-hour timelock.

Security reviews
Protocol
| Auditor | Scope | Date | Engagement | Report |
|---|---|---|---|---|
| Sherlock | V3.1 | Feb 2026 | Deployment verification | Report |
| yAudit | V3.1 | Jan 2026 | Security review | Report |
| Sherlock, Blackthorn | V3.1 | Nov-Dec 2025 | Audit competition | Report |
| xmxanuel | V3.1 | Dec 2025 | Security review | Report |
| yAudit | V3.1 | Oct 2025 | Security review | Report |
| BurraSec | V3.1 | Oct 2025 | Security review | Report |
| BurraSec | V3.1 | Sep 2025 | Security review | Report |
| BurraSec | LayerZero adapter | Aug 2025 | Security review | Report |
| Spearbit | V3.0 | July 2025 | Security review | Report |
| xmxanuel | V3.0 | May-July 2025 | Security review | Report |
| Macro | Merkle Proof Manager | June 2025 | Security review | Report |
| yAudit | Spoke/Vaults | June 2025 | Security review | Report |
| Spearbit | V3.0 | May 2025 | Security review | Report |
| BurraSec | Gateway | May 2025 | Security review | Report |
| Alex the Entreprenerd | V3.0 | Apr 2025 | Review + invariant testing | Report |
| BurraSec | Gateway | Apr 2025 | Security review | Part 1 Part 2 |
| xmxanuel | V3.0 | Mar 2025 | Security review | Report |
| Spearbit | V2.1 | Feb 2025 | Security review | Report |
| Recon | V2.0 | Jan 2025 | Invariant testing | Report |
| Spearbit | V2.0 | July 2024 | Security review | Report |
| Spearbit | Morpho integration | June 2024 | Security review | Report |
| Alex the Entreprenerd | V2.0 | Mar-Apr 2024 | Review + invariant testing | Part 1 Part 2 |
| Spearbit | V1.0 | Oct 2023 | Security review | Report |
| Code4rena | V1.0 | Sep 2023 | Audit competition | Report |
| SRLabs | V1.0 | Sep 2023 | Security review | Report |
Operational security
The core team contributing to Centrifuge has completed an operational security review with OPSEK.
Bug bounty
Centrifuge runs an active bug bounty program with a $250,000 maximum reward, available on Cantina.
Guardian
The protocol is controlled by the Root contract, which has access to all other contracts. The Root contract enforces a 48-hour delay for any upgrades and configuration changes.
Each deployment has a Guardian role, which is authorized on the Root contract. The Guardian can pause in emergencies, schedule upgrades, and set up adapters to new networks.
Every transaction is verified by third-party signers from Cantina.
| Network | Guardian |
|---|---|
| Ethereum Mainnet | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |
| Base | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |
| Arbitrum | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |
| Plume | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |
| Avalanche | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |
| BNB Smart Chain | 0xCEb7eD5d5B3bAD3088f6A1697738B60d829635c6 |